It's been a long time since the last TBTF and we have a deal of
catching up to do. Let's get to it.

..Trial delayed

On 9/14 the judge hearing the Microsoft antitrust case rejected the
largest US corporation's [1] bid to throw it out of court. Judge
Thomas Penfield Jackson did dismiss one of the charges filed by 20
states [2]. He cited recent legal precedent against the idea of
"leverage" in antitrust cases -- rejecting the states' allegation
that Microsoft tried to leverage its Windows monopoly for compet-
itive advantage in the market for Internet browsers. The judge let
stand a similar charge in the DoJ's case that does not rely on the
leverage argument.

In separate action, Judge Jackson allowed a request by both sides
for a 3-week delay in the trial's start date, to October 15.

On 10/6 the Justice Department swapped in two new witnesses (keep-
ing to the limit of 12) and Microsoft followed suit [5] later in the
week, asking the judge for a 3-week delay to depose the new players.
(But a Microsoft lawyer said what the company really needs is a "more
normal" schedule, leading to a trial date next year.) On 10/9 Judge
Jackson granted a further delay of only four days, to October 19 [6].

..Give me your papers

Also last week, Microsoft filed a motion to obtain from two uni-
versity professors the tapes and transcripts of interviews with
Netscape employees who admit to mistakes that led to the company's
decline. The interviews are quoted in a not-yet-released book,
"Competing on Internet Time," by Michael Cusumano of MIT and David
Yoffie Harvard. On 10/9 a judge in Boston turned down this request
[7]. The book had been slated to go on sale in January, but Simon\
& Schuster moved up its release to later this month.

..And other stories

Finally, the NY Times has the best coverage of Microsoft's other
legal woes [8] (free registration and cookies required) -- separate
lawsuits filed by Sun, Caldera, and Bristol Technologies, a Rhode
Island company alleging unfair trade practices in Microsoft's lic-
ensing of Windows NT.

Don't be surprised if similar announcements come from other open-
software vendors

On 9/29 Red Hat Software announced equity investments from Intel,
Netscape, and venture capital firms Benchmark Capital and Greylock
[9]. Red Hat provides documentation, customer support, and tools
to help users install and modify the freely distributed Linux op-
erating system. This funding will help the company serve its corpor-
ate customers who demand accountability and 7x24 service as a part
of their Linux purchase.

Dan Brumleve wrote with word of a new vulnerability he had discov-
ered in all versions of Netscape Navigator. (Internet Explorer is
immune.) See the exploit page [10]. The exploit, which Brumleve calls
Cache-Cow, captures the entire browsing history of the victim's copy
of Navigator, including all form data that has ever been sent via
the GET method -- including any passwords. The exploit uses Java-
Script to compromise all versions of Navigator prior to 4.06; a
slightly reworked version of the CGI script [11] fells 4.06 as well.

According to one security researcher, the same vulnerability can be
exploited via email. This means your browser cache could be stolen
if you simply read an email message.

Netscape acknowledged the Cache-Cow vulnerability [12] and released
version 4.07 of Navigator and Communicator to fix it. Five days
later Brumleve posted Son-of-Cache-Cow [13] (Cache-Calf?). It steals
the cache off of 4.07 in exactly the same way. Netscape has acknow-
ledged [14] this one too, calling it the Injection Bug. Unlike the
earlier acknowledgement [12], this one does not mention Brumleve by
name. Perhaps they're getting annoyed with him.

A more serious security threat affecting Internet Explorer 4.01 was
discovered by Web developer Juan Carlos Garcia Cuartango. Using the
Cuartango Hole [15], an attacker can steal any file off your disk for
which the name and location are known or can be guessed. Here is the
discoverer's exploit page [16]. Microsoft has confirmed the problem
and is working on a fix, Wired reports [17], but I couldn't find any
mention of Cuartango on Microsoft's security site [18].

Eric Scheid forwarded this tidbit from the TidBITS newsletter. In-
ternet Explorer versions 3.x and 4.x on Windows and Macintosh is
susceptible to what Microsoft is calling the Cross-Frame Security
Bug [19]. In all cases the supplied patch works on 4.01 versions of
the browser; users of earlier versions are advised to upgrade and
then to download the patch. The bug would allow an attacker to
access files on local disks [20]. Under Windows, any program that
uses the IE HTML engine (such as Quicken and Eudora) would also be
vulnerable until the IE patch was applied.

TBTF for 11/24/97 [21] brought you news of Geoffrey Davidian's lonely
fight against the forces of darkness in the town of Cookeville, Ten-
nessee. Davidian, publisher of a local muckraking newspaper, brought
suit in federal court after being denied access to browser cookie
files from the town government's computers. Davidian wanted to check
whether public servants were accessing pornography on the public's
nickel, he said. In late September U.S. District Judge Thomas Higgins
dismissed the publisher's lawsuit but left the legal question of whe-
ther cookie files are public records up to the state [22]. (Those who
prefer sites that don't force-feed cookies can read coverage here [23].)
Davidian has said he will appeal the decision.

If you haven't done so, please visit the 284 Most Hypocritical Mem-
bers of Congress page [24]. For two days after the previous issue
[25] came out this page was linked from Slashdot [26] ("News for
nerds. Stuff that matters.") and the TBTF site enjoyed its busiest
day ever by a factor of more than two. (The archived discussion is
here [27].) Memo to Rob Malda, a.k.a. Cmdr. Taco, the proprietor of
Slashdot: you're sitting on a gold mine there, and I hope you know
it, and I hope you thrive. The meme [28] that it may be considered
hypocritical to vote for the Communications Decency Act and then
to vote to release the Starr report has gotten wide currency. The
page was linked from a number of conventional news sites including
PC Week, and also from a number of sites with which I wouldn't or-
dinarily wish to be associated (First Amendment politics making for
the strangest of bedfellows).

I'm delighted to report that the Hypocrites page is now getting hits
from users searching for the names of particular politicians in com-
mercial search engines. Warms the cocktails of my heart, it does.

Herewith a quick summary of some of the fallout from the Starr Re-
port.

> The quality and quantity of material you have assembled > in your report contains more pornographic references than > those provided by Hustler Online services this month.

- A German journalist is pushing for the criminal indictment
of Starr under that country's laws for knowingly publishing
pornography on the Net [30].

- And as the Son of CDA [31] made its way through the US Congress,
G-rated Walt Disney Co. lobbied hard to relax the proposed
rule [32]. The company fears that, with its current wording,
CDA-II would require them to demand a credit card as proof of
age from all visitors to disney.com.

It won't be a huge genre -- there's not enough time left -- but the
coming troubles have now inspired the first Y2K technothriller. Read
"Y2K: It's Already Too Late" by Jason Kelly [33] (paperback, self-
published) and follow the fictional exploits of a software engineer
as he struggles to save the world after the bug tanks human socie-
ties worldwide. I haven't read this book. Amazon's reader reviews
are more than usually polarized: Tom Clancy fans, or those simply in
search of a good yarn, are panning it, while those who believe Jan-
uary 1, 2000 will dawn on the End Of Civilization As We Know It are
giving the book five stars. Thanks to Declan McCullagh for the item,
and the title.

On 10/1 Congress unanimously passed [34] the Year 2000 Information
and Readiness Disclosure Act, a day after its quick passage in the
Senate. The President is expected to sign it into law quickly. The
bill would let companies share information on how to fix the year
2000 computer problem without worrying about lawsuits if the in-
formation turned out to be wrong.

How to get early warning on the effects of the Y2K bug? Look east as
many timezones as you can on December 31, 1999. The head of a Senate
committee on the Y2K problem, Bob Bennett (R-Utah), said a Year 2000
"First Alert" system [35] focused on what happens as New Zealand and
other Pacific countries pass midnight would give the United States
more than 17 hours notice of how utilities and transport services
may be disrupted.

This image [36] (77K) is signed "Mars" and looks like the work of a
professional political cartoonist. It's scattered about the Web now;
Altavista turns up 29 instances of it. The earliest one I saw was
dated September 2.

Once a year the Leonids put on a light show (a meteor shower), and
three times a century it's directed by William Berkeley Enos [37] (a
meteor storm). Every year on November 17 and 18 earth's orbit passes
through that of the comet formerly known as Tempel-Tuttle and for-
tunate watchers may see 5 to 10 meteors a minute in midnight skies.
Every 32 years we run into the vicinity of what used to be the
comet's head and the shooting-star count can rise to 10,000 a min-
ute. Most of the meteoroids are smaller than grains of sand. Five
weeks from now this 155,000-mph travelling sandblast will arrive at
an earth bejeweled with satellites [38]. The meteoroid density may be
as high as one in every square meter; if so then every satellite in
orbit will get hit. NASA plans to turn the eye of the Space Tele-
scope away from the onslaught [39] and other satellite owners with
mobility will turn their birds for minimum cross section in the dir-
ection of the constellation Leo. November 1999 could be worse.

On August 27 an exotic star two-thirds of the way to the galactic
core caused ten X-ray satellites to sit up and take notice. It
blasted them with gamma radiation strong enough to penetrate their
shielding and overload some of their instruments, regardless of
where in the sky they happened to be pointing. The blast ionized
earth's upper atmosphere at night as strongly as the daytime sun.
It came from the star SGR 1400+14 in the constellation Aquila, one
of four soft gamma repeaters discovered since 1979. This NASA page
[40] (loads 135K, mostly images) details the event and provides back-
ground on magnetars -- postulated neutron stars with magnetic fields
exceeding a quadrillion times that of earth, or 1000 times stronger
than those of "ordinary" pulsars. Magnetars were first hypothesized
in 1992 and the first solid evidentiary sighting came in May of this
year [41].

The gamma-ray pulses are generated by starquakes, in which the neu-
tron star's iron crust is deformed so far by magnetic forces that it
cracks. Pent-up energy is released and seismic waves produce a flash
of X-rays. Such a starquake can release 10^19 times more energy than
the 1906 San Francisco earthquake, 20.1 on the Richter scale [42].
Here's a graph [43] of the 12-minute energy tail following the August
27 quake. The energy released in the first instant equaled the Sun's
output over 1000 years, or enough energy to run all of earth's civ-
ilizations for a billion billion years at the current burn rate. The
astronauts aboard Mir each sustained a whole-body radiation dose
equivalent to a dental X-ray.

If this article [44] is serious and aboveboard, a Scottish fabric
company is working with a NASA spinoff headed by Dr. Robert Forward
to develop ropes to swing spacecraft to the moon. Just like Tarzan,
only in space you couldn't hear him yodel. I'm flummoxed. Readers
conversant with physics: please write (dawson@world.std.com) dis-
cussing whether or not this article, and the idea behind it, makes
the slightest bit of sense. Thanks to Jon Callas for the item.

The NANOG mailing list, stalwart of network operators everywhere,
has lately carried news of more than the usual number of optical-
fiber bundles cut by rampaging backhoes. Last Thursday this note,
from a local newscast, was posted to the list:

> [Atlantic County, NJ] While attempting to wreak havoc on the > world's telecommunications infrastructure, a backhoe mistook > a gas main as a fiber optic cable. The evil yellow beast was > destroyed in the resulting fireball.

The ensuing discussion thread [45] "Internet 1, Backhoe 0" turned
up many examples of the Net's revenge fantasies; two of the best
are BizarroLand's [46] and Adam Rothschild's videorealistic essay
[47] (103K).

> Alaska was pretty wonderful, thanks for asking. But TBTF took three
weeks off instead of the planned two courtesy of a bug (it was
definitely not a feature) that got to me in the recirculated sub-
stance that passes for air on a transcontinental flight. Several
folks wrote with suggestions for Net access while on a cruise vac-
ation and Marc Kupper provided the mother lode. Follow this link
[48] if you're interested in a brief essay titled "An Alaska Cruise:
Net Access and What I Read."